Overview PCI DSS 4.0’s New Requirements

PCI DSS 4.0 the updated security payment standard’s goal is “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information, the PCI Security Standards Council says.

New in PCI DSS 4.0?
The 12 core PCI DSS requirements did not fundamentally change with PCI DSS v4.0, and they remain the critical foundation for securing payment card data. However, the requirements have been redesigned to focus on security objectives to guide how security controls should be implemented.

The key high-level goals for PCI DSS v4.0 are:

  • Ensure the standard continues to meet the security needs of the payments industry.
  • Add flexibility and support of additional methodologies to achieve security.
  • Promote security as a continuous process.
  • Enhance validation methods and procedures.

Stronger Authentication Requirements
Identity and access management (IAM) plays a crucial role in safeguarding cardholder data, and the new version of the standard recognizes that.

PCI DSS 4.0 aligns with the NIST guidance on digital identities for authentication and life cycle management. As the payments industry has gradually moved to the cloud, stronger authentication standards to payment and control access logins are necessary. PCI DSS 4.0 considers:

  • Multifactor authentication (MFA) usage for all accounts that have access to the cardholder data, not just administrators accessing the cardholder data environment.
  • Passwords for accounts used by applications and systems must be changed at least every 12 months and upon suspicion of compromise.
  • Use of strong passwords for accounts used by applications and systems, which must contain at least 15 characters, including numeric and alphabetic characters. PCI DSS requires that the prospective passwords be compared against the list of known bad passwords.
  • Access privileges must be reviewed at least once every six months.
  • Vendor or third-party accounts may be enabled only as needed and monitored when in use.

The PCI DSS 4.0 standard is built with a zero-trust mindset, permitting organizations to build their own unique, pluggable authentication solutions to meet the data security regulatory requirements.

Expanded Applicability of Data Encryption
The latest standard considers broader applicability for encrypting cardholder data, now expanding on trusted networks. In addition, the requirement for data discovery to locate all sources and locations of cleartext primary account numbers (PAN) will be more frequent, at least once every 12 months and upon significant changes to the cardholder data environment or processes. The rationale is that malicious code is one of the biggest problems that financial institutions face. Once the code embeds in the network, information can be retrieved through cardholder data transmission.

Introducing the customized implementation approach to PCI DSS 4.0 gives businesses more flexibility. Organizations are no longer forced to follow the methods prescribed by the standard or implement a burdensome compensating control, and they can focus on selecting and implementing solutions that achieve the intended outcome of a specific PCI DSS objective. Effective IAM and MFA combined with encryption is the overarching principle behind zero-trust security for protecting sensitive cardholder data and online payments.

PCI DSS 4.0 Timeline
The v4.0 updates don’t immediately come into effect for all organizations. To support the adoption of PCI DSS around the globe, the standard and summary of changes will be translated into several languages, and these translations are set for publication over the next few months, between now and June 2022.